Configure it to reject instead of discard.
On 13 Apr 2016 10:55 am, <[email protected]> wrote:
> > I'm assuming you don't want to let the sender know that you detected the
> > virus.
>
> yep
>
> > there's no reason to block the sender for subsequent deliveries in your
> > firewall either, as the sender will notice that too (depending on the
> > sender noticing actually anything you're doing, which is questionable when
> > it's a spammer).
>
> When the virus attempt is sent repeatedly, it does chew server resources
> to be detected. clamav has to run "on it" after all.
>
> My goal is to detect the sender IP, and block those
> repeat-send-receive-scan loads.
>
> > If the REJECT log message does have an ip address in the response, I
> > suggest start using that.
>
> That's the current problem. It's a DISCARD, not a REJECT. There's no
> REJECT message with IP. Just the discard notice without it.
>
> Obviously the IP address is, at some point in the transaction, correlated
> to that message. Need to figure out how to preserve & get at that info.
>
> > I thought f2b >= 0.9 could now do a multi-line match so you could pick
> > up on the NOQUEUE message and the REJECT message but, at a guess, you'd
> > need to match the process ID between the two messages to make sure the
> > messages are connected.
>
> Saw that too. Haven't figured out yet how to make sure it gets ONLY the
> right, correlated 'other line'. The procID match sounds good - not sure
> yet if or how you can do that.
>
> > I'm not sure if this really covers your issue, but Wietse once suggested
> > the following:
>
> Adding a header with the IP could be an option. I think I'd have to have
> Amavis add that header WHEN it detects/discards the virus, get that passed
> back to the Postfix log, and then have f2b detect it there.
>
> _______________________________________________
> Fail2ban-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
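
Added example, not part of the original thread and not code from fail2ban, Postfix or Amavis: one way to tie a discard notice that has no IP back to the connecting client, by remembering the `client=` line for each queue ID and looking it up when the discard appears. It assumes the discard notice carries the Postfix queue ID; the log lines are constructed and simplified, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed, simplified log lines (assumed shapes, not taken from the thread).
SAMPLE_LOG = """\
Apr 13 10:01:02 mx postfix/smtpd[4101]: 3F2A1C0123: client=unknown[203.0.113.7]
Apr 13 10:01:03 mx postfix/smtpd[4102]: 7B9D4C0456: client=mail.example.org[198.51.100.20]
Apr 13 10:01:04 mx amavis[5200]: (05200-01) Blocked INFECTED (Test-Signature) {DiscardedInbound}, Queue-ID: 3F2A1C0123
Apr 13 10:01:05 mx amavis[5201]: (05201-01) Passed CLEAN {RelayedInbound}, Queue-ID: 7B9D4C0456
Apr 13 10:02:10 mx postfix/smtpd[4101]: 9C1E2C0789: client=unknown[203.0.113.7]
Apr 13 10:02:11 mx amavis[5200]: (05200-02) Blocked INFECTED (Test-Signature) {DiscardedInbound}, Queue-ID: 9C1E2C0789
Apr 13 10:03:00 mx amavis[5202]: (05202-01) Blocked INFECTED (Test-Signature) {DiscardedInbound}, Queue-ID: DEADBEEF00
"""

# smtpd line that binds a queue ID to the connecting client's IP.
CLIENT_RE = re.compile(r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-Za-z]+): client=\S*\[(?P<ip>[0-9A-Fa-f.:]+)\]")
# Discard notice: no IP, only the queue ID (assumed format).
DISCARD_RE = re.compile(r"Blocked INFECTED .*Queue-ID: (?P<qid>[0-9A-Za-z]+)")

def correlate(lines, max_pending=10000):
    """Return (Counter of discards per client IP, queue IDs with no known client)."""
    qid_to_ip = {}          # queue ID -> client IP, insertion ordered
    hits = Counter()
    unmatched = []
    for line in lines:
        m = CLIENT_RE.search(line)
        if m:
            if len(qid_to_ip) >= max_pending:
                # Bound memory: drop the oldest queue ID still waiting.
                qid_to_ip.pop(next(iter(qid_to_ip)))
            qid_to_ip[m["qid"]] = m["ip"]
            continue
        m = DISCARD_RE.search(line)
        if m:
            ip = qid_to_ip.pop(m["qid"], None)
            if ip is None:
                unmatched.append(m["qid"])   # never guess an IP for an unknown queue ID
            else:
                hits[ip] += 1
    return hits, unmatched

def repeat_offenders(hits, threshold=2):
    """Client IPs with at least `threshold` correlated discards."""
    return sorted(ip for ip, n in hits.items() if n >= threshold)

if __name__ == "__main__":
    hits, unmatched = correlate(SAMPLE_LOG.splitlines())
    for ip in repeat_offenders(hits):
        print(f"virus-discard client={ip} count={hits[ip]}")
```

Writing one line per correlated discard to a separate log file gives a single-line record, including the IP, that an ordinary single-line filter can match.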